Twenty Year Anniversary

FreeBSD Security Advisory - FreeBSD-SA-16:24.ntp

FreeBSD Security Advisory - FreeBSD-SA-16:24.ntp
Posted Jun 6, 2016

FreeBSD Security Advisory - Multiple vulnerabilities have been discovered in the NTP suite.

tags | advisory, vulnerability
systems | freebsd, bsd
advisories | CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4957
MD5 | fce94472a944196f57b09c666a948569

FreeBSD Security Advisory - FreeBSD-SA-16:24.ntp

Change Mirror Download
Hash: SHA512

FreeBSD-SA-16:24.ntp Security Advisory
The FreeBSD Project

Topic: Multiple vulnerabilities of ntp

Category: contrib
Module: ntp
Announced: 2016-06-04
Credits: Network Time Foundation and various contributors listed below
Affects: All supported versions of FreeBSD.
Corrected: 2016-06-03 08:59:21 UTC (stable/10, 10.3-STABLE)
2016-06-04 05:46:52 UTC (releng/10.3, 10.3-RELEASE-p5)
2016-06-04 05:46:52 UTC (releng/10.2, 10.2-RELEASE-p19)
2016-06-04 05:46:52 UTC (releng/10.1, 10.1-RELEASE-p36)
2016-06-03 09:03:10 UTC (stable/9, 9.3-STABLE)
2016-06-04 05:46:52 UTC (releng/9.3, 9.3-RELEASE-p44)
CVE Name: CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:>.

I. Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time

II. Problem Description

Multiple vulnerabilities have been discovered in the NTP suite:

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to
crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco]

An attacker who knows the origin timestamp and can send a spoofed packet
containing a CRYPTO-NAK to an ephemeral peer target before any other
response is sent can demobilize that association. [CVE-2016-4953, Reported by
Miroslav Lichvar of Red Hat]

An attacker who is able to spoof packets with correct origin timestamps
from enough servers before the expected response packets arrive at the
target machine can affect some peer variables and, for example,
cause a false leap indication to be set. [CVE-2016-4954, Reported by
Jakub Prokes of Red Hat]

An attacker who is able to spoof a packet with a correct origin timestamp
before the expected response packet arrives at the target machine can
send a CRYPTO_NAK or a bad MAC and cause the association's peer variables
to be cleared. If this can be done often enough, it will prevent that
association from working. [CVE-2016-4955, Reported by Miroslav Lichvar
of Red Hat]

The fix for NtpBug2978 does not cover broadcast associations, so broadcast
clients can be triggered to flip into interleave mode. [CVE-2016-4956,
Reported by Miroslav Lichvar of Red Hat.]

III. Impact

Malicious remote attackers may be able to break time synchronization,
or cause the ntpd(8) daemon to crash.

IV. Workaround

No workaround is available, but systems not running ntpd(8) are not
affected. Network administrators are advised to implement BCP-38,
which helps to reduce the risk associated with the attacks.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch
# fetch
# gpg --verify ntp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:>.

Restart the applicable daemons, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r301257
releng/9.3/ r301301
stable/10/ r301256
releng/10.1/ r301301
releng/10.2/ r301301
releng/10.3/ r301301
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References






The latest revision of this advisory is available at
Version: GnuPG v2.1.12 (FreeBSD)



RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By